Abstract

In [3], the authors proposed a highly efficient secure and privacy-preserving scheme for secure vehicular communications. The proposed scheme consists of four protocols: system setup, the protocol for STP and STK distribution, the protocol for common string synchronization, and the protocol for vehicular communications. Here we define security models for the protocol for STP and STK distribution and for the protocol for vehicular communications, respectively, and then prove that these two protocols are secure in our models.
1 Security Model

1.1 Security Model for the Protocol for STP and STK Distribution 

The security and privacy of the protocol for STP and STK distribution are defined in the game below. It is run between a challenger CH and an adversary Att who has full control of the network communications. Att can be of three types:

• A type 1 adversary aims to break the message confidentiality property of our protocol. Since we assume that the underlying symmetric encryption/decryption scheme is secure, a type 1 adversary refers to an adversary who can violate the message confidentiality property of the underlying signcryption scheme.

• A type 2 adversary aims to break the message authentication and non-repudiation properties of our protocol.

• A type 3 adversary aims to break the privacy property of our protocol. Similar to a type 1 adversary, a type 3 adversary refers to an adversary who can violate the privacy property of the underlying signcryption scheme.

The game has the following stages:

Initialize: On input a security parameter $\ell$, CH generates the system parameters pub and passes pub to Att.

Attack: According to the protocol for STP and STK distribution, at this stage Att is allowed to obtain the following information from CH.

• $Q_1$: The signcrypted message in the Request phase.

• $Q_2$: The de-signcrypted message in the Verify phase (in the case that an RSU is corrupted).

• $Q_3$: The ciphertext sent to the vehicle and the corresponding plaintext in the Replay and Update phases, respectively.

• $Q_4$: For an identity-based system, we usually also allow Att to obtain the (long-term) private keys of the vehicles and RSUs (except the target one(s)).

Response: This phase has three cases: 

• If Att is of type 1, Att returns two messages $(m_0, m_1)$ and an RSU's identity. CH randomly chooses $m_b \in \{m_0, m_1\}$ and generates a signcrypted message $C$. We note that in our protocol, the vehicle's long-term pseudonym is included in the message; in $m_0$ and $m_1$ the vehicle's long-term pseudonyms are the same. Att may continue to make the queries of the Attack stage. Att wins the game if he can distinguish whether $C$ corresponds to $m_0$ or $m_1$ without querying the private key of the RSU or the plaintext corresponding to $C$.

• If Att is of type 2, Att returns a signcrypted message $C$ and an RSU's identity $ID_R$. Let $m = (n, LTP, t)$ be the plaintext corresponding to $C$. Att wins the game if $C$ can pass the Verify phase and Att has never queried the private key corresponding to $LTP$ or the signcrypted message corresponding to $(m, LTP, ID_R)$.

• If Att is of type 3, Att returns two messages $m_0$ and $m_1$ and an RSU's identity. We note that in our protocol, the vehicle's long-term pseudonym is included in the message. Let the vehicles' long-term pseudonyms in $m_0$ and $m_1$ be $LTP_0$ and $LTP_1$, respectively. The only difference between $m_0$ and $m_1$ is that the two vehicles' long-term pseudonyms are different. CH randomly chooses $m_b \in \{m_0, m_1\}$ and generates a signcrypted message $C$. Att may continue to make the queries of the Attack stage. Att wins the game if he can distinguish whether $C$ corresponds to $LTP_0$ or $LTP_1$ without querying the private key of the RSU or the plaintext corresponding to $C$.

Definition 1: The protocol for STP and STK distribution satisfies message confidentiality if no type 1 adversary can win the above game in polynomial time with non-negligible probability.

Definition 2: The protocol for STP and STK distribution satisfies message authentication and non-repudiation if no type 2 adversary can win the above game in polynomial time with non-negligible probability.

Definition 3: The protocol for STP and STK distribution satisfies privacy if no type 3 adversary can win the above game in polynomial time with non-negligible probability.

We note that the definition of privacy in this paper is slightly weaker than the definition of ciphertext anonymity (a stronger definition of privacy) in [1]. However, in our protocol, we do not need to consider the privacy of an RSU. Hence, our definition of privacy is sufficient for our protocol. Further, it is easy to see that if the protocol for STP and STK distribution achieves message confidentiality, then the protocol also achieves privacy.

1.2 Security Model for Protocol for Vehicular Communications 

The security of our protocol is modeled via the following game between a challenger CH and an adversary Att.

Initialize: On input a security parameter $\ell$, CH generates the system parameters pub and passes pub to Att.

Attack: According to the protocol for vehicular communications, at this stage, Att is allowed to obtain the 
following information from CH. 

• $Q_5$: The short-term private key of a vehicle (corresponding to an identity-based system).

• $Q_6$: The signatures generated by the vehicles in the Sign phase.

• $Q_7$: The real identity corresponding to a vehicle's short-term pseudonym in the Trace phase.

We note that we do not need to model the signature verification and aggregation procedures in the Verify, Store 
and Re-aggregate phases, because Att can do these operations himself. 

Response: In our protocol, since we assume that the underlying symmetric encryption/decryption scheme is secure and the KGC is fully trusted, Att cannot violate the privacy of a vehicle. Hence, Att can break our protocol if and only if he can output a forged aggregate signature. Assume Att outputs a set of $n$ vehicles' short-term pseudonyms $\mathcal{L}^*_{ID} = \{STP^*_1, \ldots, STP^*_n\}$, $n$ messages $\{m^*_1, \ldots, m^*_n\}$, and an aggregate signature $\sigma^*$. We say that Att wins the game if and only if

1) $\sigma^*$ is a valid aggregate signature on the messages $\{m^*_1, \ldots, m^*_n\}$ under $\{STP^*_1, \ldots, STP^*_n\}$.

2) At least one of the identities, without loss of generality say $STP^*_1 \in \mathcal{L}^*_{ID}$, has not been submitted in the $Q_5$ queries, and $(m^*_1, STP^*_1)$ has never been submitted in the $Q_6$ queries.

The above model captures the individual authentication and non-repudiation properties of our protocol. As to 
the vehicle privacy and traceability properties, they are achieved using short-term pseudonyms. This method is 
widely used in VANET systems. 

2 Security Proofs 

The security of our protocols is related to the bilinear Diffie-Hellman (BDH) and the computational Diffie-Hellman 
(CDH) problems. 

Let $G_1, G_2$ be two additive cyclic groups and $G_T$ be a multiplicative cyclic group, all with the same prime order $q$; let $P_1, P_2$ be random elements in $G_1$ and $G_2$, respectively, and let $\psi$ be a computable isomorphism from $G_2$ to $G_1$. A map $e : G_1 \times G_2 \to G_T$ is called bilinear if 1) $e(aP_1, bP_2) = e(P_1, P_2)^{ab}$ for any $a, b \in \mathbb{Z}/q\mathbb{Z}$; 2) $e(P_1, P_2) \neq 1_{G_T}$; 3) there exists an efficient algorithm to compute $e(P_1, P_2)$.

• $\mathrm{BDH}_{2,2,1}$ problem [2]: Given $(P_1, P_2, aP_2, bP_2, cP_1)$, compute $e(P_1, P_2)^{abc}$ for unknown $a, b, c \in \mathbb{Z}/q\mathbb{Z}$.

• $\mathrm{CDH}_{2,2,1}$ problem [2]: Given $(P_1, P_2, aP_2, bP_2)$, compute $abP_1$ for unknown $a, b \in \mathbb{Z}/q\mathbb{Z}$.
2.1 Security of the Protocol for STP and STK Distribution

Our results are all in the random oracle model. In each of the results below we assume that the adversary makes $q_i$ queries to $H_i$ for $i \in \{1, 2, 3, 5\}$. The numbers of $Q_1$ and $Q_2$ queries made by the adversary are denoted by $q_s$ and $q_d$, respectively.

Theorem 1. If a type 1 adversary wins the game defined in Section 1.1 with probability $\varepsilon$, then a CH running in polynomial time solves the $\mathrm{BDH}_{2,2,1}$ problem with probability at least

$$\varepsilon \cdot \frac{1}{q_2 q_5}.$$
Proof. Let $(P_1, P_2, aP_2, bP_2, cP_1)$ be the instance of the $\mathrm{BDH}_{2,2,1}$ problem that we wish to solve.

Initialize: On input a security parameter $\ell$, CH chooses $(G_1, G_2, G_T, e, P_1, P_2, U_1, U_2, \psi, H_1 \sim H_5, E_k(\cdot)/D_k(\cdot), l_1, l_2, l_3, ID_{KGC}, P_{KGC})$ as the system public parameters, where $U_2 = bP_2$ and $U_1 = \psi(U_2)$. We describe how CH uses Att to compute $e(P_1, P_2)^{abc}$.

Attack: CH answers Att's queries as follows:

$H_1(LTP_i)$ queries:

Choose $x_i$ at random from $\mathbb{Z}/q\mathbb{Z}$ and $k_i$ from the key space of $E_k(\cdot)/D_k(\cdot)$; compute $P_{V_i} = x_iP_1$ and $LTK_i = x_iU_1$; store $(LTP_i, P_{V_i}, LTK_i, x_i, k_i)$ in $L_1$ and respond with $P_{V_i}$.

$H_2(ID_{R_i})$ queries:

At the beginning of the simulation, choose $I$ uniformly at random from $\{1, \ldots, q_2\}$. We show how to respond to the $i$-th query made by Att below. Note that we assume Att does not make repeated queries.

• If $i = I$ then respond with $aP_2$.

• Else choose $x'_i$ uniformly at random from $\mathbb{Z}/q\mathbb{Z}$; compute $P_{R_i} = x'_iP_2$ and $B_i = x'_iU_2$; store $(ID_{R_i}, P_{R_i}, B_i, x'_i)$ in $L_2$ and respond with $P_{R_i}$.

$H_3(Y_i \| m_i)$ queries:

• If $(Y_i, m_i, h_i) \in L_3$ for some $h_i$, return $h_i$.

• Else choose $h_i$ uniformly at random from $\mathbb{Z}/q\mathbb{Z}$; add $(Y_i, m_i, h_i)$ to $L_3$ and return $h_i$.

$H_5(\omega_i)$ queries:

• If $(\omega_i, h'_i) \in L_5$ for some $h'_i$, return $h'_i$.

• Else choose $h'_i$ uniformly at random from $\{0, 1\}^*$; add $(\omega_i, h'_i)$ to $L_5$ and return $h'_i$.

$Q_4$ queries:

The input of this query is a pseudonym/identity of a vehicle/RSU. We will assume that Att makes the query $H_1(LTP_i)$/$H_2(ID_{R_i})$ before he makes the $Q_4$ query corresponding to $LTP_i$/$ID_{R_i}$.

• If the input is equal to $ID_{R_I}$, abort the simulation.

• If the input is $LTP_i$, search $L_1$ for the entry $(LTP_i, P_{V_i}, LTK_i, x_i, k_i)$ and return $LTK_i$.

• Else search $L_2$ for the entry $(ID_{R_i}, P_{R_i}, B_i, x'_i)$ corresponding to $ID_{R_i}$ and return $B_i$.

$Q_1$ queries:

The input of this query is $(m_i, ID_{R_i})$, where $LTP_i$ is included in $m_i$. We will assume Att makes the queries $H_1(LTP_i)$ and $H_2(ID_{R_i})$ before he makes this query.

• Find the entry $(LTP_i, P_{V_i}, LTK_i, x_i, k_i)$ in $L_1$.

• Choose $r_i$ uniformly at random from $\mathbb{Z}_q^*$ and compute $Y_i = r_iP_{V_i}$.

• Compute $h_i = H_3(Y_i \| m_i)$ (where $H_3$ is the simulator above).

• Compute $Z_i = (r_i + h_i)LTK_i$.

• Compute $P_{R_i} = H_2(ID_{R_i})$ (where $H_2$ is the simulator above).

• Compute $\omega_i = e(r_iLTK_i, P_{R_i})$.

• Compute $y_i = H_5(\omega_i) \oplus (Z_i \| m_i)$ (where $H_5$ is the simulator above).

• Return the signcrypted message $(Y_i, y_i)$.

$Q_2$ queries:

The input of this query is a signcrypted message $(Y_i, y_i)$ and the identity $ID_{R_i}$ of an RSU. We assume that Att makes the query $H_2(ID_{R_i})$ before making a $Q_2$ query. We have the following cases.

Case 1: $ID_{R_i} \neq ID_{R_I}$

• Find the entry $(ID_{R_i}, P_{R_i}, B_i, x'_i)$ in $L_2$.

• Compute $\omega_i = e(Y_i, B_i)$.

• If $\omega_i \notin L_5$, return $\bot$; else compute $Z_i \| m_i = y_i \oplus H_5(\omega_i)$.

• Let the pseudonym in $m_i$ be $LTP_i$. If $LTP_i \notin L_1$, return $\bot$. Else compute $P_{V_i} = H_1(LTP_i)$.

• If $(Y_i, m_i) \notin L_3$, return $\bot$. Else compute $h_i = H_3(Y_i \| m_i)$.

• If $e(Z_i, P_2) \neq e(Y_i + h_iP_{V_i}, U_2)$, return $\bot$. Else return $m_i, (Y_i, Z_i)$.

Case 2: $ID_{R_i} = ID_{R_I}$

• Step through the list $L_5$ with entries $(\omega_i, h'_i)$ as follows.

- Compute $Z_i \| m_i = y_i \oplus h'_i$.

- Let the pseudonym in $m_i$ be $LTP_i$. If $LTP_i \in L_1$, let $P_{V_i} = H_1(LTP_i)$ and find $LTK_i$ in $L_1$; else move to the next element in $L_5$ and begin again.

- If $(Y_i, m_i) \in L_3$, let $h_i = H_3(Y_i \| m_i)$; else move to the next element in $L_5$.

- Check that $\omega_i = e(Z_i - h_iLTK_i, aP_2)$, and if not, move on to the next element in $L_5$ and begin again.

- Check that $e(Z_i, P_2) = e(Y_i + h_iP_{V_i}, U_2)$; if so return $m_i, (Y_i, Z_i)$, else move on to the next element in $L_5$.

• If no message has been returned after stepping through $L_5$, return $\bot$.

$Q_3$ queries:

Find the corresponding symmetric key $k_i$ in $L_1$. Output the corresponding ciphertext or plaintext using $k_i$.

Response: Att outputs two identities $LTP^*, ID^*_R$ and two messages $m_0, m_1$. If $ID^*_R \neq ID_{R_I}$, CH aborts. Otherwise it chooses $y^* \in \{0, 1\}^*$ and sets $Y^* = cP_1$. It returns the signcrypted message $\sigma^* = (Y^*, y^*)$ to Att. Att may continue to make the queries of the Attack stage with the restriction defined in the model. These queries are answered in the same way as those made by Att in the above stage. At the end of this phase, Att outputs a bit $b$. CH searches $L_1$ for the entry $(LTP^*, P_{V^*}, LTK^*, x^*, k^*)$, chooses some $\omega^*$ at random from $L_5$ and returns $\omega^*$ as her guess at the solution to the $\mathrm{BDH}_{2,2,1}$ problem.

In the above simulation, if CH does not abort, then Att's view is identical to the real-world attack. Similar to the security proof of Theorem 2 in [1], we have that CH does not abort with probability at least

$$\frac{1}{q_2}.$$

Since $\omega^*$ is randomly chosen from $L_5$, the probability that CH solves the $\mathrm{BDH}_{2,2,1}$ problem is at least

$$\varepsilon \cdot \frac{1}{q_2 q_5}.$$
Theorem 2. If a type 2 adversary wins the game defined in Section 1.1 with probability $\varepsilon$, then a CH running in polynomial time solves the $\mathrm{CDH}_{2,2,1}$ problem with probability at least

$$\left(\varepsilon - \frac{q_s(q_3 + q_s)}{q}\right)^2 \cdot \frac{1}{q_1^2 (q_3 + q_s)}.$$

Proof. Let $(P_1, P_2, aP_2, bP_2)$ be the instance of the $\mathrm{CDH}_{2,2,1}$ problem that we wish to solve.

Initialize: On input a security parameter $\ell$, CH chooses $(G_1, G_2, G_T, e, P_1, P_2, U_1, U_2, \psi, H_1 \sim H_5, E_k(\cdot)/D_k(\cdot), l_1, l_2, l_3, ID_{KGC}, P_{KGC})$ as the system public parameters, where $U_2 = bP_2$ and $U_1 = \psi(U_2)$. We describe how CH uses Att to compute $abP_1$.

Attack: CH answers Att's queries as follows:

$H_1(LTP_i)$ queries:

At the beginning of the simulation, choose $I$ uniformly at random from $\{1, \ldots, q_1\}$. Note that we assume Att does not make repeated queries.

• If $i = I$ then respond with $H_1(LTP_i) = \psi(aP_2)$; choose $k_i$ from the key space of $E_k(\cdot)/D_k(\cdot)$; store $(LTP_i, P_{V_i}, \bot, \bot, k_i)$ in $L_1$.

• Else choose $x_i$ uniformly at random from $\mathbb{Z}/q\mathbb{Z}$ and $k_i$ from the key space of $E_k(\cdot)/D_k(\cdot)$; compute $P_{V_i} = x_iP_1$ and $LTK_i = x_iU_1$; store $(LTP_i, P_{V_i}, LTK_i, x_i, k_i)$ in $L_1$ and respond with $P_{V_i}$.

$H_2(ID_{R_i})$ queries:

Choose $x'_i$ uniformly at random from $\mathbb{Z}/q\mathbb{Z}$; compute $P_{R_i} = x'_iP_2$ and $B_i = x'_iU_2$; store $(ID_{R_i}, P_{R_i}, B_i, x'_i)$ in $L_2$ and respond with $P_{R_i}$.

$H_3(Y_i \| m_i)$ queries:

• If $(Y_i, m_i, h_i) \in L_3$ for some $h_i$, return $h_i$.

• Else choose $h_i$ uniformly at random from $\mathbb{Z}_q^*$; add $(Y_i, m_i, h_i)$ to $L_3$ and return $h_i$.

$H_5(\omega_i)$ queries:

• If $(\omega_i, h'_i) \in L_5$ for some $h'_i$, return $h'_i$.

• Else choose $h'_i$ uniformly at random from $\{0, 1\}^*$; add $(\omega_i, h'_i)$ to $L_5$ and return $h'_i$.

$Q_4$ queries:

The input of this query is a pseudonym/identity of a vehicle/RSU. We will assume that Att makes the query $H_1(LTP_i)$/$H_2(ID_{R_i})$ before he makes the $Q_4$ query corresponding to $LTP_i$/$ID_{R_i}$.

• If the input is equal to $LTP_I$, abort the simulation.

• Else if the input is $LTP_i$, search $L_1$ for the entry $(LTP_i, P_{V_i}, LTK_i, x_i, k_i)$ and return $LTK_i$.

• Else search $L_2$ for the entry $(ID_{R_i}, P_{R_i}, B_i, x'_i)$ corresponding to $ID_{R_i}$ and return $B_i$.

$Q_1$ queries:

The input of this query is $(m_i, ID_{R_i})$, where $LTP_i$ is included in $m_i$. We will assume that Att makes the queries $H_1(LTP_i)$ and $H_2(ID_{R_i})$ before he makes this query. Two cases arise:

Case 1: $LTP_i \neq LTP_I$

Use the simulator of $Q_1$ in the proof of Theorem 1.

Case 2: $LTP_i = LTP_I$

• Choose $r_i, h_i$ uniformly at random from $\mathbb{Z}_q^*$.

• Compute $Y_i = r_iP_1 - h_iH_1(LTP_i)$ and $Z_i = r_iU_1$.

• Add $(Y_i, m_i, h_i)$ to $L_3$.

• Find the entry $(ID_{R_i}, P_{R_i}, B_i, x'_i)$ in $L_2$.

• Compute $\omega_i = e(Y_i, B_i)$.

• Compute $y_i = H_5(\omega_i) \oplus (Z_i \| m_i)$ (where $H_5$ is the simulator above).

• Return $(Y_i, y_i)$.

$Q_2$ queries:

• Find the entry $(ID_{R_i}, P_{R_i}, B_i, x'_i)$ in $L_2$.

• Compute $\omega_i = e(Y_i, B_i)$.

• If $\omega_i \notin L_5$, return $\bot$; else find the entry corresponding to $\omega_i$ and compute $Z_i \| m_i = y_i \oplus H_5(\omega_i)$.

• Let the pseudonym in $m_i$ be $LTP_i$. If $LTP_i \notin L_1$, return $\bot$. Else compute $P_{V_i} = H_1(LTP_i)$.

• If $(Y_i, m_i) \notin L_3$, return $\bot$. Else compute $h_i = H_3(Y_i \| m_i)$.

• If $e(Z_i, P_2) \neq e(Y_i + h_iP_{V_i}, U_2)$, return $\bot$. Else return $m_i, (Y_i, Z_i)$.


$Q_3$ queries:

Find the corresponding symmetric key $k_i$ in $L_1$. Output the corresponding ciphertext or plaintext using $k_i$.


In the above simulation, if CH does not abort, then Att's view is identical to the real-world attack. Similar to the security proof of Theorem 3 in [1], we have that CH does not abort with probability at least

$$\left(1 - \frac{q_s(q_3 + q_s)}{q}\right) \frac{1}{q_1}.$$

With probability

$$\left(\varepsilon - \frac{q_s(q_3 + q_s)}{q}\right) \frac{1}{q_1}$$

Att outputs a forgery $m^*, (Y^*, Z^*)$, where the pseudonym in $m^*$ is $LTP_I$.


Response: According to the Splitting Lemma, CH replays Att with the same random tape but a different choice of the responses of $H_3$. With probability

$$\left(\varepsilon - \frac{q_s(q_3 + q_s)}{q}\right)^2 \cdot \frac{1}{q_1^2 (q_3 + q_s)}$$

the two runs yield two forgeries $m^*, (Y^*, Z^*)$ and $m^*, (Y^*, Z'^*)$ with $Z^* \neq Z'^*$ and $h^* \neq h'^*$, where $h^*$ and $h'^*$ are the outputs of $H_3$ corresponding to $(Y^*, m^*)$ in the first and second runs of the simulation, respectively. Let $P_{V^*} = H_1(LTP_I)$. Since the two forgeries should be valid, we have

$$e(Z^*, P_2) = e(Y^* + h^*P_{V^*}, U_2)$$

and

$$e(Z'^*, P_2) = e(Y^* + h'^*P_{V^*}, U_2).$$

Since $P_{V^*} = aP_1$, we have

$$abP_1 = (h^* - h'^*)^{-1}(Z^* - Z'^*).$$

Theorem 3. If a type 3 adversary wins the game defined in Section 1.1 with probability $\varepsilon$, then a CH running in polynomial time solves the $\mathrm{BDH}_{2,2,1}$ problem with probability at least

$$\varepsilon \cdot \frac{1}{q_2 q_5}.$$

Proof. The proof is the same as that of Theorem 1.


2.2 Security of the Protocol for Vehicular Communications 

In each of the results below we assume that the adversary makes $q_{H_i}$ queries to $H_i$ for $i \in \{1, 2, 3\}$. We assume Att can make at most $q_k$ $Q_5$ queries and at most $q_s$ $Q_6$ queries.

Theorem 4. If there exists an adversary Att who has an advantage $\varepsilon$ to break our protocol, then the $\mathrm{CDH}_{2,2,1}$ problem can be solved in polynomial time with probability at least

$$\varepsilon' \ge \left(1 - \frac{1}{q_{H_1}}\right)^{q_k} \left(1 - \frac{1}{q_{H_1} q_{H_2}}\left(1 - \frac{1}{q_{H'}}\right)\right)^{q_s} \frac{1}{q_{H_1} q_{H_2}} \left(1 - \frac{1}{q_{H'}}\right) \varepsilon.$$

Proof. Let $(P_1, P_2, aP_2, bP_2)$ be the instance of the $\mathrm{CDH}_{2,2,1}$ problem that we wish to solve.

Initialize: On input a security parameter $\ell$, CH chooses $(G_1, G_2, G_T, e, P_1, P_2, U_1, U_2, \psi, H_1 \sim H_6, E_k(\cdot)/D_k(\cdot), l_1, l_2, l_3, ID_{KGC}, P_{KGC})$ as the system public parameters and $A$ from the key space of $E_k(\cdot)/D_k(\cdot)$, where $U_2 = bP_2$ and $U_1 = \psi(U_2)$. We describe how CH uses Att to compute $abP_1$.

Attack: CH answers Att's query as follows: 


$H_1(STP_i, j)$ queries:

Let $H_1$ be the list of previous answers to these queries. CH picks $I \in [1, q_{H_1}]$ uniformly at random. Whenever CH receives an $H_1$ query on $(STP_i, j)$ for $j \in \{0, 1\}$, CH does the following:

1) If there is a tuple $(STP_k, a_{k,0}, a'_{k,0}, a_{k,1}, a'_{k,1}, P_{k,0}, P_{k,1})$ on the list $H_1$ such that $STP_i = STP_k$, return $P_{k,j}$ as the answer.

2) Else if $i = I$, randomly choose $a_{i,0}, a'_{i,0}, a_{i,1}, a'_{i,1} \in \mathbb{Z}/q\mathbb{Z}$, set $P_{i,0} = a_{i,0}P_1 + a'_{i,0}U_1$ and $P_{i,1} = a_{i,1}P_1 + a'_{i,1}U_1$, add $(STP_i, a_{i,0}, a'_{i,0}, a_{i,1}, a'_{i,1}, P_{i,0}, P_{i,1})$ to $H_1$ and return $P_{i,j}$ as the answer.

3) Else set $a'_{i,0} = 0$ and $a'_{i,1} = 0$, randomly choose $a_{i,0}, a_{i,1} \in \mathbb{Z}/q\mathbb{Z}$, set $P_{i,0} = a_{i,0}P_1$ and $P_{i,1} = a_{i,1}P_1$, add $(STP_i, a_{i,0}, a'_{i,0}, a_{i,1}, a'_{i,1}, P_{i,0}, P_{i,1})$ to $H_1$ and return $P_{i,j}$ as the answer.


$H_2(CS_i)$ queries:

Let $H_2$ be the list of previous answers to these queries. CH picks $J \in [1, q_{H_2}]$ uniformly at random. Whenever Att issues a query $H_2(CS_i)$, the same answer from the list $H_2$ will be given if the request has been asked before. Otherwise, CH selects a random $\beta_i \in \mathbb{Z}/q\mathbb{Z}$; if $i = J$, CH computes $P_{CS_i} = \beta_iP_2$, else it sets $P_{CS_i} = \beta_i aP_2$. Finally, CH adds $(CS_i, P_{CS_i}, \beta_i)$ to $H_2$ and returns $P_{CS_i}$ as the answer.

$H_3(m_i, STP_i, CS_i)$ queries:

Let $H_3$ be the list of previous answers to these queries. Whenever Att issues a query $(m_i, STP_i, CS_i)$ to $H_3$, the same answer from the list $H_3$ will be given if the request has been asked before. Otherwise, CH first submits $(STP_i, 0)$ to $H_1$, then finds the tuple $(STP_i, a_{i,0}, a'_{i,0}, a_{i,1}, a'_{i,1}, P_{i,0}, P_{i,1})$ on $H_1$, and finally does the following:

1) If $STP_i = STP_I$ and $CS_i = CS_J$ (we assume that Att can ask at most $q_{H'} \le q_{H_3}$ queries of this kind), randomly choose $K \in [1, q_{H'}]$.

a) If it is the $K$-th such query, set $c_i = -a'_{i,0}/a'_{i,1}$, add $(m_i, STP_i, CS_i, c_i)$ to $H_3$ and return $c_i$.

b) Else select a random $c_i \in \mathbb{Z}/q\mathbb{Z}$, add $(m_i, STP_i, CS_i, c_i)$ to $H_3$ and return $c_i$ as the answer.

2) Else, select a random $c_i \in \mathbb{Z}/q\mathbb{Z}$, add $(m_i, STP_i, CS_i, c_i)$ to $H_3$ and return $c_i$ as the answer.


$Q_5$ queries: When Att issues a private key query corresponding to $STP_i$, the same answer will be given if the request has been asked before. Otherwise, CH looks for a tuple $(STP_i, a_{i,0}, a'_{i,0}, a_{i,1}, a'_{i,1}, P_{i,0}, P_{i,1})$ on $H_1$; if none is found, CH makes an $H_1$ query on $(ID_i, j)$ ($j = 0$ or $1$) to generate such a tuple, and finally does as follows:

1) If $ID_i = ID_I$, abort.

2) Else return $(D_{i,0}, D_{i,1})$ as the answer, where $D_{i,0} = a_{i,0}U_1$ and $D_{i,1} = a_{i,1}U_1$.
$Q_6$ queries: The input of this query is $(CS_i, STP_i)$; CH first makes the $H_1(ID_i, 0)$, $H_2(CS_i)$ and $H_3(m_i, STP_i, CS_i)$ queries if they have not been made before, then recovers $(STP_i, a_{i,0}, a'_{i,0}, a_{i,1}, a'_{i,1}, P_{i,0}, P_{i,1})$ from $H_1$, $(CS_i, P_{CS_i}, \beta_i)$ from $H_2$ and $(m_i, STP_i, CS_i, c_i)$ from $H_3$, and generates the signature as follows:

1) If $STP_i = STP_I$, $CS_i = CS_J$ and $c_i = -a'_{i,0}/a'_{i,1}$, choose $S_{i,2} \in G_1$, compute $S_{i,1} = \beta_JS_{i,2} + a_{i,0}U_1 + a_{i,1}c_iU_1$ and output $M_i = (m_i \| STP_i \| (S_{i,1}, S_{i,2}))$.

2) Else if $STP_i = STP_I$ and $CS_i = CS_J$, abort.

3) Else if $STP_i = STP_I$, choose $r_i \in \mathbb{Z}/q\mathbb{Z}$, set $S_{i,2} = r_iP_1 - \beta_i^{-1}(P_{i,0} + c_iP_{i,1})$, compute $S_{i,1} = r_i\psi(P_{CS_i})$ and output $M_i = (m_i \| STP_i \| (S_{i,1}, S_{i,2}))$.

4) Else, randomly choose $r_i \in \mathbb{Z}/q\mathbb{Z}$, compute $S_{i,2} = r_iP_1$, set $S_{i,1} = r_i\psi(P_{CS_i}) + a_{i,0}U_1 + c_ia_{i,1}U_1$ and output $M_i = (m_i \| STP_i \| (S_{i,1}, S_{i,2}))$.

Note that in the protocol, $CS_i$ is only for one-time use. Hence, it is reasonable for CH to abort when $STP_i = STP_I$, $CS_i = CS_J$ and $c_i \neq -a'_{i,0}/a'_{i,1}$.

$Q_7$ queries: CH outputs the real identity of a vehicle based on the Trace phase using $A$.

Response: Eventually, Att returns $\mathcal{L}^*_{ID} = \{STP^*_1, \ldots, STP^*_n\}$, $n$ messages from the set $\{m^*_1, \ldots, m^*_n\}$, a common string $CS^*$ and a forged aggregate signature $\sigma^* = (S^*_1, S^*_2)$.

CH recovers $(STP^*_i, a^*_{i,0}, a'^*_{i,0}, a^*_{i,1}, a'^*_{i,1}, P^*_{i,0}, P^*_{i,1})$ from $H_1$, $(CS^*, P_{CS^*}, \beta^*)$ from $H_2$ and $(m^*_i, STP^*_i, CS^*, c^*_i)$ from $H_3$ for all $i$, $1 \le i \le n$.

CH requires that $CS^* = CS_J$ and that there exists $i \in \{1, \ldots, n\}$ such that $STP^*_i = STP_I$, $c^*_i \neq -a'^*_{i,0}/a'^*_{i,1}$ and Att has not made a $Q_6$ query on $(CS^*, m^*_i, STP^*_i)$. Without loss of generality, we let $i = 1$. In addition, the forged aggregate signature must satisfy

$$e(S^*_1, P_2) = e(S^*_2, P_{CS^*}) \, e\Big(\sum_{i=1}^{n} P^*_{i,0} + \sum_{i=1}^{n} c^*_iP^*_{i,1}, \, U_2\Big).$$

Otherwise, CH aborts.

If CH does not abort, by our setting $P^*_{1,0} = a^*_{1,0}P_1 + a'^*_{1,0}U_1$, $P^*_{1,1} = a^*_{1,1}P_1 + a'^*_{1,1}U_1$, $P_{CS^*} = \beta^*P_2$, and for $i$, $2 \le i \le n$, $P^*_{i,j} = a^*_{i,j}P_1$, where $j \in \{0, 1\}$; hence, CH can compute

$$abP_1 = \big(a'^*_{1,0} + c^*_1a'^*_{1,1}\big)^{-1}\Big(S^*_1 - \sum_{i=2}^{n} a^*_{i,0}U_1 - \sum_{i=2}^{n} c^*_ia^*_{i,1}U_1 - \beta^*S^*_2 - \big(a^*_{1,0} + c^*_1a^*_{1,1}\big)U_1\Big).$$


To complete the proof, we shall show that CH solves the given instance of the $\mathrm{CDH}_{2,2,1}$ problem with probability at least $\varepsilon'$. First, we analyze the three events needed for CH to succeed:

• $E_1$: CH does not abort in the above simulation.

• $E_2$: Att generates a valid and nontrivial aggregate signature forgery.

• $E_3$: Event $E_2$ occurs, $CS^* = CS_J$ and there exists $i \in \{1, \ldots, n\}$ such that $STP^*_i = STP_I$ and $c^*_i \neq -a'^*_{i,0}/a'^*_{i,1}$ (as mentioned previously, we assume $i = 1$).

CH succeeds if all of these events happen. The probability $\Pr[E_1 \wedge E_2 \wedge E_3]$ can be decomposed as

$$\Pr[E_1 \wedge E_2 \wedge E_3] = \Pr[E_1] \Pr[E_2 \mid E_1] \Pr[E_3 \mid E_1 \wedge E_2].$$

It is easy to see that the above probability for CH to solve the $\mathrm{CDH}_{2,2,1}$ problem is

$$\varepsilon' = \Pr[E_1 \wedge E_2 \wedge E_3] \ge \left(1 - \frac{1}{q_{H_1}}\right)^{q_k} \left(1 - \frac{1}{q_{H_1} q_{H_2}}\left(1 - \frac{1}{q_{H'}}\right)\right)^{q_s} \frac{1}{q_{H_1} q_{H_2}} \left(1 - \frac{1}{q_{H'}}\right) \varepsilon.$$